CAPTCHA Images

**RFH Reseller: JohnnyW** · 20th January 2006, 11:26 AM

I've got a few sites both in classic ASP and ASP.net which are now falling foul of spambots automatically submitting forms.

In the words of Alan Partridge - "Scum, sub-human scum"

So I need to look at implementing a CAPTCHA image solution, has anyone implemented it before. Ideally I'd like a solution which I could use on both my ASP and ASP.net site, so possibly a component if Warren would be willing to install it.

Any feedback, info or recommendations would be greatly appreciated.

**Staff: Warren Ashcroft** · 20th January 2006, 11:47 AM

We currently use a CAPTCHA solution, it simply uses the PHP GD libraries to generate the image - but if you need something installing just open a ticket.

EG:

http://www.redfoxaddons.com/includes...=201&height=91

**RFH Reseller: JohnnyW** · 20th January 2006, 12:03 PM

Thanks Warren, just been having a play with this ASP.net control on my local computer - http://dotnetfreak.co.uk/blog/archiv...11/06/166.aspx

It's very very impressive and easy to use. But I take it if I wanted to use this on an RFH server it wouldn't work due to medium trust issues?

**RFH Reseller: Sol** · 20th January 2006, 02:02 PM

Seeing this in the description:

Image is rendered on demand (either inline or using an Image Provider), and not saved as a file.

Should imply that it will indeed run in Medium Trust. However, an easy way to test would be to set you local machine Web.Config to run in medium trust and see if it breaks.

I haven't downloaded it, but it seems as though sources are available in which case if it doesn't run in medium trust, we could probably modify it so that it will.

I also had a quick thought about integrating this with ASP, so wanted to see the URL for the image:

Code:

http://dotnetfreak.co.uk/blog/archive/2004/11/06/166.aspx?__formShieldID=PostComment.ascx-hip1-formshield1&properties=URuu/2feelb1J2nah46yq9qcBly+VB7nOeMOg+aD5lwi1AU4bir+dgOVC9MkOgVHNNkzgqNkjhNSIQuZIBf

Seems to me that this is a bit long and the 'properties' variable should be made shorter.

**RFH Reseller: JohnnyW** · 20th January 2006, 02:18 PM

Thanks Sol, it did unfortunatly break in medium trust :crying:, here's the stack trace -

Code:

[SecurityException: That assembly does not allow partially trusted callers.]
   ASP.signup_aspx.__BuildControlFormShield2() in c:\Inetpub\wwwroot\SWSE\Signup.aspx:8
   ASP.signup_aspx.__BuildControl__control4() in c:\Inetpub\wwwroot\SWSE\Signup.aspx:5
   ASP.signup_aspx.__BuildControl__control3(Control __ctrl) in c:\Inetpub\wwwroot\SWSE\Signup.aspx:4
   System.Web.UI.CompiledTemplateBuilder.InstantiateIn(Control container) +12
   ASP.sitetemplate_master.__BuildControlMainContent() in c:\Inetpub\wwwroot\SWSE\SiteTemplate.master:24
   ASP.sitetemplate_master.__BuildControlTree(sitetemplate_master __ctrl) in c:\Inetpub\wwwroot\SWSE\SiteTemplate.master:1
   ASP.sitetemplate_master.FrameworkInitialize() in c:\Inetpub\wwwroot\SWSE\SiteTemplate.master.cs:912307
   System.Web.UI.UserControl.InitializeAsUserControlInternal() +31
   System.Web.UI.MasterPage.CreateMaster(TemplateControl owner, HttpContext context, VirtualPath masterPageFile, IDictionary contentTemplateCollection) +1978576
   System.Web.UI.Page.get_Master() +48
   System.Web.UI.Page.ApplyMasterPage() +18
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6953
   System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +154
   System.Web.UI.Page.ProcessRequest() +86
   System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +18
   System.Web.UI.Page.ProcessRequest(HttpContext context) +49
   ASP.signup_aspx.ProcessRequest(HttpContext context) in App_Web_x8j73isn.0.cs:0
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +154
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64

The properties variable is quite long but there are heaps of properties (which is what I like about this control) you can set for the image which is a good thing as spambots are getting clever. There is a property for encrypting the query string, which by default is set to true for obvious reasons. Without it encrypted it looks like this -

Code:

Signup.aspx?__formShieldID=ctl00$MainContent$FormShield2&backFillStyle=Gradient&backColor=-256&backColor2=-65536&foreFillStyle=Gradient&foreColor2=-4144960&textEffect=EqualSpacingAngle&text=YGP2T5&noiseFillStyle=Hatch&noiseColor=16777215&noiseColor2=-23296&noiseLevel=20

**RFH Reseller: Sol** · 20th January 2006, 02:59 PM

If you have the sources try settings the 'AllowPartiallyTrustedCallers' attribute in the AssemblyInfo.cs file.

If you have no luck post a message here, as I'll have a crack at making a Medium trust version of it over the weekend (I'll also optimize the property string string a bit).

I have a need for this control as well, so won't be wasting my time. However, I may also need to use this with ASP or other web technologies, so may look at using a common encryption library.

**RFH Reseller: JohnnyW** · 20th January 2006, 03:13 PM

Sounds like you're in the same boat as me Sol. I think automatic form submissions are becoming more and more common.

At the moment it's 2 older classic ASP sites that's getting hit but also want to add this two a couple of .net sites I have and one that i'm currently developing.

I couldn't see a link on the site for downloading the sources only the dll file.

I also found this post on the site from the developer answering someone who was having medium trust problems -

Hi Rick,

Ah, the trust problem does need a new compile, unfortunately with work committments at the moment I don't really have the time to put this right.

If you have a good relationship with your Web host, you could ask them to permit your applications to run in full trust. All they need to do is change their machine.config for your specific sites/applications.

I'm intending to release .NET 2.0 versions of my controls, but at the moment it's going to have to wait for a month.

Sorry!

There's a couple of other sites showing you how to create CAPTCHA images using GDI+ but I kinda liked the way this control worked and the properties built in.

I would have thought Microsoft would have created a server control in 2.0 considering how much of a problem it's becoming.